Security's rising star, Webroot, plans to offer Web and malware filtering as a service to SMBs, the first vendor of any size to offer such a capability in subscription form.

The software-as a service (SaaS) model, which extends the e-mail filtering service already offered by the company, will appeal to smaller and medium-sized outfits for whom keeping out Web threats with conventional security appliances is now proving increasingly onerous.

Expected to go live in the U.S. in June, the unnamed service will mean business running Web traffic through Webroot datacenters where it will be filtered for suspicious URLs, Web-borne downloads such as Trojans, and vulnerability malware trying to exploit known software holes.

When run with the company's e-mail filtering service, the idea is that the bulk of an SMB's traffic security problems will have been taken care of. Although it can in principle replace desktop anti-malware, the company still recommends users run desktop software as a second line of defense and to intercept threats when using third-party pipes while roaming.

"The advantage of the service model is that you have unlimited computing power and you can do much more. You also have greater visibility [on threats] because you have all the traffic. You can see patterns of outbreak very quickly that you will never see on the desktop," said Webroot's CTO Gerhard Eschelbeck.

He said that the system would be able to stop filtering bypass hacks such as proxy Web sites, even if they were previously unknown. That is the worry -- that cleverer users attempt to bypass filtering services by opening encrypted tunnels to proxy sites.

According to Eschelbeck, the trick with stopping users visiting such sites was to detect the URL obfuscation scheme being used from the five in common use today. And if they come up with a new one?

"We can update the service every day so if we see a new one [obfuscation] happening in the wild, we just update our service. That is not going to be possible on a client or the desktop," he said.

Further details of the service are still unconfirmed but it is likely that subscribing companies would have some control over the parameters applied to their filtering through a Web front end. This would allow requirements to be set on the basis of user or time of day, for instance.

Despite the fashionable jargon of SaaS, the arrival of security-as-a-service marks an important moment for the security industry, hitherto dominated by the idea that security is a problem best solved on the desktop. This model is widely acknowledged to have been under strain for some time as security companies have struggled to integrate new security functions into desktop programs while updating them on a daily basis with ever-larger signature file blacklists.

If there's a downside, it's the investment needed to create the large datacenters across different time zones required to offer reliable services. With a rumored IPO in the offing, Webroot has taken the high-risk approach of sticking investor cash into such a building program on the assumption that the users will come.

Webroot's larger rivals, Symantec, McAfee, and perhaps even Microsoft, have yet to make their hand clear but will watch the upstart's slow progress with mild trepidation. The last thing a company making its money out of software wants is an over-hasty migration to an expensive and complex service-based model for security. For now, mediocre desktop software is just more profitable.

Pricing has yet to be announced by Webroot, as has availability of the service outside the U.S. using dedicated datacenters.